CN110838912A - Key management method, device, equipment and computer medium based on block chain - Google Patents

Publication number
CN110838912A
Authority
CN
China
Prior art keywords
key
sub
block chain
secret
mnemonic
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911128865.5A
Other languages
Chinese (zh)
Other versions
CN110838912B (en)
Inventor
廖飞强
严强
李昊轩
李辉忠
张开翔
范瑞彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
WeBank Co Ltd
Original Assignee
WeBank Co Ltd
Application filed by WeBank Co Ltd
Priority to CN201911128865.5A
Publication of CN110838912A
Application granted
Publication of CN110838912B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/24 Key scheduling, i.e. generating round keys or sub-keys for block encryption
    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of financial technology (Fintech), and discloses a key management method based on a block chain, which comprises the following steps: when a key escrow request is received, acquiring a key corresponding to the key escrow request and escrow information of the key; generating mnemonics corresponding to the secret key according to a preset mnemonic generation algorithm; processing the mnemonic words according to the key escrow information to obtain sub-secrets corresponding to the mnemonic words, and sending the sub-secrets to block chain nodes corresponding to the key escrow information; when a key acquisition request is received, transmitting an acquisition request to the block chain nodes, and receiving the sub-secrets fed back by the block chain nodes based on the acquisition request; recovering the mnemonic word according to the sub-secret, and recovering the secret key based on the mnemonic word. The invention also discloses a key management device, equipment and a computer medium based on the block chain. The invention realizes the effective management of the key.

Description

Key management method, device, equipment and computer medium based on block chain
Technical Field
The present invention relates to the field of financial technology (Fintech), and in particular, to a method, an apparatus, a device, and a computer medium for block chain-based key management.
Background
With the development of computer technology, more and more technologies are applied in the financial field, and the traditional financial industry is gradually changing to financial technology (Fintech), but due to the requirements of the financial industry on safety and real-time performance, higher requirements are also put forward on the technologies.
In order to protect the transaction information of transaction participants, the account address of the sender needs to be changed every time a transaction is sent in a blockchain network. Random key management can randomly generate a large number of public and private key pairs. Because each transaction is signed with a new private key, the user needs to store every private key, and the loss of a private key causes the loss of the ownership and use rights of the corresponding account.
Disclosure of Invention
The invention mainly aims to provide a method, a device, equipment and a computer medium for managing a key based on a block chain, and aims to solve the technical problem that the key is lost and is difficult to recover in the field of the current block chain.
In order to achieve the above object, the present invention provides a key management method based on a block chain, where the key management method based on the block chain includes the following steps:
when a key escrow request is received, acquiring a key corresponding to the key escrow request and escrow information of the key;
generating mnemonics corresponding to the secret key according to a preset mnemonic generation algorithm;
processing the mnemonic words according to the key escrow information to obtain sub-secrets corresponding to the mnemonic words, and sending the sub-secrets to block chain nodes corresponding to the key escrow information;
when a key acquisition request is received, transmitting an acquisition request to the block chain nodes, and receiving the sub-secrets fed back by the block chain nodes based on the acquisition request;
recovering the mnemonic word according to the sub-secret, and recovering the secret key based on the mnemonic word.
In an embodiment, the step of generating the mnemonic word corresponding to the key according to a preset mnemonic word generation algorithm includes:
generating an entropy of a random sequence according to a preset mnemonic word generation algorithm, carrying out hash calculation on the entropy to obtain an entropy hash value, and taking the first m bits of the entropy hash value as a checksum, wherein m is greater than or equal to 1;
appending the checksum to the end of the entropy to obtain a sequence number, and dividing the sequence number to obtain numbering units;
and mapping the numbering units to a preset dictionary to obtain an ordered character string, and taking the character string as a mnemonic word.
In an embodiment, the step of processing the mnemonic word according to the key escrow information to obtain a sub-secret corresponding to the mnemonic word, and sending the sub-secret to a block chain node corresponding to the key escrow information includes:
extracting the node number n and a threshold value t from the key escrow information, wherein the node number n is greater than or equal to the threshold value t, and the threshold value t refers to the number of blockchain nodes necessary for recovering the mnemonics;
encoding the mnemonic words to form a numeric master secret s, selecting t-1 coefficients, and constructing a polynomial of degree t-1 using the coefficients, wherein the coefficients are $a_1, a_2, \dots, a_{t-1}$ and the polynomial is $f(x) = s + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1}$;
and taking a value of the independent variable and the corresponding value of the dependent variable of the polynomial as one sub-secret, sending the sub-secrets to the blockchain nodes corresponding to the node number n, and destroying the polynomial.
In an embodiment, the step of sending the sub-secrets to the blockchain nodes corresponding to the node number n and destroying the polynomial includes:
determining the blockchain nodes corresponding to the node number n and the topic names subscribed to by the blockchain nodes;
and connecting to the blockchain nodes according to an on-chain messenger protocol of the block chain, sending the sub-secret corresponding to each topic name to the blockchain node through the channel of that topic name, and destroying the polynomial.
In an embodiment, the step of sending an acquisition request to the blockchain node and receiving a sub-secret fed back by the blockchain node based on the acquisition request when receiving a key acquisition request includes:
when a key acquisition request is received, selecting t target blockchain nodes from the n blockchain nodes, t being the threshold value;
and sending an acquisition request to the target blockchain nodes, and acquiring, through t on-chain messenger channels, the sub-secrets fed back by the target blockchain nodes based on the acquisition request.
In one embodiment, the step of recovering the mnemonic word from the sub-secret comprises:
reconstructing a polynomial from the t sub-secrets, t being the threshold value, wherein each sub-secret consists of an independent variable i and a dependent variable f(i), and the reconstructed polynomial is:
Figure BDA0002277710440000031
and obtaining the numerical master secret $s = f(0)$ through the reconstructed polynomial calculation, and converting the numerical master secret s into a mnemonic word.
In one embodiment, the step of recovering the key based on the mnemonic word comprises:
dividing the mnemonics into messages and character strings, and iterating the character strings by calling functions to generate character string seeds;
separating the character string seed into a main private key and a chain code corresponding to the main private key, wherein the chain code is used for generating a sub private key according to the main private key;
and deriving a sub-private key according to a preset private key derivation algorithm, and taking the sub-private key as a key corresponding to the acquisition request.
In order to achieve the above object, the present invention provides a key management device based on a block chain, including:
the first receiving module is used for acquiring a key corresponding to a key escrow request and escrow information of the key when the key escrow request is received;
the mnemonic word generating module is used for generating a mnemonic word corresponding to the secret key according to a preset mnemonic word generating algorithm;
the processing and sending module is used for processing the mnemonic words according to the key escrow information to obtain sub-secrets corresponding to the mnemonic words and sending the sub-secrets to the block chain nodes corresponding to the key escrow information;
a second receiving module, configured to send an acquisition request to the blockchain nodes when receiving a key acquisition request, and receive the sub-secrets fed back by the blockchain nodes based on the acquisition request;
and the key recovery module is used for recovering the mnemonic words according to the sub-secret and recovering the key based on the mnemonic words.
In addition, to achieve the above object, the present invention further provides a key management device based on a block chain, including: a memory, a processor and a blockchain based key management program stored on the memory and executable on the processor, the blockchain based key management program when executed by the processor implementing the steps of the blockchain based key management method as described above.
Further, to achieve the above object, the present invention also provides a computer readable storage medium having a blockchain based key management program stored thereon, which when executed by a processor implements the steps of the blockchain based key management method as described above.
The invention provides a key management method, a key management device, key management equipment and a computer medium based on a block chain. In the embodiment of the invention, when a key escrow request is received, a key corresponding to the key escrow request and escrow information of the key are obtained; mnemonics corresponding to the key are generated according to a preset mnemonic generation algorithm; the mnemonic words are processed according to the key escrow information to obtain sub-secrets corresponding to the mnemonic words, and the sub-secrets are sent to the block chain nodes corresponding to the key escrow information; when a key acquisition request is received, an acquisition request is sent to the block chain nodes, and the sub-secrets fed back by the block chain nodes based on the acquisition request are received; the mnemonic word is recovered according to the sub-secrets, and the key is recovered based on the mnemonic word. In the embodiment, the key management device converts the key into the mnemonic word, processes the mnemonic word to generate the sub-secrets, distributes the sub-secrets based on the on-chain messenger protocol of the block chain, and also supports a recovery mechanism: the key management device can acquire the sub-secrets from the escrow block chain nodes and use them to recover the mnemonic words and thereby the key, so that effective, safe, reliable and convenient escrow of the key is realized, and permanent account loss is avoided.
Drawings
FIG. 1 is a schematic diagram of an apparatus architecture of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a first embodiment of a method for key management based on blockchains according to the present invention;
FIG. 3 is a functional block diagram of a key management device based on a block chain according to an embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in fig. 1, fig. 1 is a schematic device structure diagram of a hardware operating environment according to an embodiment of the present invention.
The key management device based on the block chain in the embodiment of the invention can be a PC or a server.
As shown in fig. 1, the block chain-based key management apparatus may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005, a communication bus 1002. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display screen (Display), an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration of the apparatus shown in fig. 1 is not intended to be limiting of the apparatus and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a blockchain-based key management program.
In the device shown in fig. 1, the network interface 1004 is mainly used for connecting to a backend server and performing data communication with the backend server; the user interface 1003 is mainly used for connecting a client (user side) and performing data communication with the client; the processor 1001 may be configured to call the key management program based on the block chain stored in the memory 1005, and execute the following operations in the key management method based on the block chain, where the method implemented when the key management program based on the block chain running on the processor is executed may refer to each embodiment of the key management method based on the block chain of the present invention, and details are not described here again.
At present, a random key management scheme or a deterministic hierarchical key management scheme is generally adopted. Random key management refers to a key generation method controlled by a certain random algorithm; it is currently the most common key generation method and generates a key according to a certain random algorithm or a random number table determined in advance, but due to the characteristics of the algorithm, the key generated by any algorithm can be predicted. Deterministic hierarchical key management starts from a mnemonic word: the mnemonic word generates a seed, the seed generates a main private key, sub-private keys are derived from the main private key and can in turn derive further sub-private keys, and a new sub-private key is selected to sign each time a transaction is sent. The mnemonic word stays unchanged; the user needs to store the mnemonic word but not the main private key or its sub-private keys. This overcomes the drawback of random key management, since the user does not need to manage a large number of private keys and only needs to store one unchanging mnemonic word. But it introduces a new problem: if the mnemonic word is lost, all private keys derived from it are lost, together with the ownership and use rights of the corresponding accounts, so the loss under deterministic hierarchical key management is larger than under a random key management scheme.
The scheme of the embodiment of the invention is an improvement aiming at a deterministic hierarchical key management scheme, and relates to a key management method based on a block chain.
Based on the hardware structure, the embodiment of the key management method based on the block chain is provided.
Referring to fig. 2, fig. 2 is a schematic flowchart of a first embodiment of a key management method based on a block chain according to the present invention, where the key management method based on a block chain includes:
step S10, when receiving the key escrow request, obtains a key corresponding to the key escrow request and escrow information of the key.
In this embodiment, the key management method based on the blockchain is applied to the key management device based on the blockchain. The key management device receives the key escrow request; the manner in which the key escrow request is triggered is not specifically limited. The request may be actively triggered by a user: for example, the user selects a key to be escrowed and clicks a "management" button on a display interface of a service node (also called a transaction terminal), and the transaction terminal sends the key escrow request to the key management device. The request may also be triggered automatically by the key management device: for example, the key management device is preset to trigger an escrow request automatically whenever a transaction generates a new key.
When the key management device receives the key escrow request, the key management device obtains the key in the key escrow request and escrow information of the key. The escrow information includes the identifiers of the escrow blockchain nodes, the number n of blockchain nodes, and the minimum number t of blockchain nodes needed to recover the key (also called the threshold value t; it can be understood that the number of blockchain nodes n is greater than or equal to t).
And step S20, generating mnemonics corresponding to the key according to a preset mnemonic generation algorithm.
The key management device is provided with a preset mnemonic word generation algorithm, which is a preset random algorithm used for generating mnemonics. The key management device takes a group of English words, Chinese characters or other language characters generated by this algorithm as the mnemonic. The number of characters in the mnemonic is not specifically limited in this embodiment; for example, the mnemonic may comprise 12 characters. It can be understood that the mnemonic is a very important parameter, and the user needs to store it properly, since it is used to recover keys and thereby the related transaction accounts.
The embodiment provides a specific implementation manner of generating mnemonic words, which includes:
Step a1, generating an entropy of a random sequence according to a preset mnemonic word generation algorithm, carrying out hash calculation on the entropy to obtain an entropy hash value, and taking the first m bits of the entropy hash value as a checksum, wherein m is greater than or equal to 1;
Step a2, appending the checksum to the end of the entropy to obtain a sequence number, and dividing the sequence number to obtain numbering units;
Step a3, mapping the numbering units to a preset dictionary to obtain an ordered character string, and using the character string as a mnemonic word.
That is, in this embodiment, the key management device generates an entropy of the random sequence according to a preset mnemonic generation algorithm, performs hash calculation on the entropy to obtain an entropy hash value, and takes the first m bits of the entropy hash value as a checksum, where m may be determined according to the entropy length (for example, m = entropy length / 32; it is understood that m is greater than or equal to 1). The key management device appends the checksum to the end of the entropy to obtain a sequence number and divides the sequence number to obtain numbering units. It then maps the numbering units to a preset dictionary (a dictionary preset in the key management device) to obtain an ordered character string, and takes the character string as the mnemonic word.
For example:
① the key management device generates a random sequence (entropy) with a length of 128-256 bits according to a preset mnemonic generation algorithm;
② the key management device takes the first m bits of the hashed entropy as a checksum (m = entropy length / 32) to create a checksum of the random sequence;
③ the key management device appends the checksum to the end of the random sequence (entropy);
④ the key management device divides the sequence into parts of 11 bits each;
⑤ the key management device maps each 11-bit value to a dictionary of 2048 predefined English words, Chinese characters or other language characters;
⑥ the key management device generates an ordered string of English words, Chinese characters or other language characters, which is the mnemonic.
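Steps ① to ⑥ as an added example (not code from the patent), together with the reverse mapping that validates the checksum when a mnemonic is read back. SHA-256 as the hash and the placeholder word list `WORDLIST` are assumptions; the page names neither.

```python
import hashlib
import secrets

# Constructed placeholder for the "preset dictionary": 2048 (= 2**11) distinct entries.
# A deployment would load its own word list here.
WORDLIST = ["w%04d" % i for i in range(2048)]


def entropy_to_mnemonic(entropy, wordlist=WORDLIST):
    """Map 128-256 bits of entropy to an ordered list of dictionary words."""
    ent_bits = len(entropy) * 8
    if ent_bits < 128 or ent_bits > 256 or ent_bits % 32:
        raise ValueError("entropy must be 128-256 bits in steps of 32")
    if len(set(wordlist)) != 2048:
        raise ValueError("dictionary must hold 2048 distinct entries")
    m = ent_bits // 32                                    # checksum length in bits
    # Assumption: SHA-256 is the hash; the first m bits (m <= 8) sit in byte 0.
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - m)
    value = (int.from_bytes(entropy, "big") << m) | checksum   # entropy || checksum
    total_bits = ent_bits + m                             # always a multiple of 11
    return [wordlist[(value >> shift) & 0x7FF]            # one word per 11-bit unit
            for shift in range(total_bits - 11, -1, -11)]


def mnemonic_to_entropy(words, wordlist=WORDLIST):
    """Reverse the mapping and reject a mnemonic whose checksum does not match."""
    if len(words) not in (12, 15, 18, 21, 24):
        raise ValueError("unexpected number of words")
    index = {w: i for i, w in enumerate(wordlist)}
    value = 0
    for w in words:
        if w not in index:
            raise ValueError("word not in dictionary: %r" % w)
        value = (value << 11) | index[w]
    m = len(words) // 3                                   # 33*m bits in total
    entropy = (value >> m).to_bytes(4 * m, "big")         # 32*m bits of entropy
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - m)
    if value & ((1 << m) - 1) != expected:
        raise ValueError("checksum mismatch: mnemonic was mistyped or altered")
    return entropy


def generate_mnemonic(ent_bits=128):
    """Step 1 with a CSPRNG: fresh entropy, then the mapping above."""
    return entropy_to_mnemonic(secrets.token_bytes(ent_bits // 8))


if __name__ == "__main__":
    words = generate_mnemonic(128)
    print(len(words), "words:", " ".join(words))
    print("entropy recovered:", mnemonic_to_entropy(words).hex())
```

The checksum only catches accidental errors in a restored mnemonic; it is not a keyed integrity check.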
In this embodiment, the key management device converts the key into the mnemonic word so that the user can memorize it more easily. Even so, the mnemonic word may still be forgotten, so this embodiment manages the mnemonic word in order that it can be recovered after being forgotten, specifically:
step S30, processing the mnemonic word according to the key escrow information, obtaining a sub-secret corresponding to the mnemonic word, and sending the sub-secret to a block chain node corresponding to the key escrow information.
The key management device processes the mnemonic words according to the key escrow information. The key escrow information comprises the identifiers of the escrow blockchain nodes and the number of blockchain nodes; the key management device processes the mnemonic words to generate as many sub-secrets as there are blockchain nodes, and distributes the sub-secrets through an on-chain protocol to the blockchain nodes corresponding to the identifiers.
It can be understood that the specific manner in which the key management device processes the mnemonic word according to the key escrow information to obtain the sub-secrets is not limited. Implementation one: the key management device divides the mnemonic words into character strings and encrypts the divided character strings to obtain the sub-secrets. Implementation two: the key management device converts the mnemonic words into a numerical value, constructs a polynomial from the numerical value, and obtains the sub-secrets from the constructed polynomial.
In this embodiment, a mnemonic word is generated by a preset mnemonic word generation algorithm, and management of a secret key is realized by managing the mnemonic word, so that a user maintains ownership of an account corresponding to the secret key, and when the user forgets the mnemonic word, the mnemonic word can be recovered, specifically:
step S40, when receiving a key acquisition request, sending an acquisition request to the block chain node, and receiving a sub-secret fed back by the block chain node based on the acquisition request.
When the key management device receives the key acquisition request, the key management device sends the acquisition request to the block chain nodes, the block chain nodes receive the acquisition request and respectively send the sub-secrets through the appointed channels according to the chain messenger protocol, and the key management device acquires the sub-secrets from the chain messenger channels.
Step S50, restoring the mnemonic word according to the sub-secret, and restoring the key based on the mnemonic word.
The key management device recovers the mnemonic word based on the sub-secrets, that is, it processes the sub-secrets in reverse to regenerate the mnemonic word. For example, if the sub-secrets were produced from the mnemonic word by division and encryption, the mnemonic word is obtained from the sub-secrets by decryption and concatenation. The key management device then recovers the key based on the mnemonic word, specifically:
Step b1, dividing the mnemonics into messages and character strings, and iterating the character strings by calling functions to generate character string seeds;
Step b2, separating the character string seed into a main private key and a chain code corresponding to the main private key, wherein the chain code is used for generating a sub private key according to the main private key;
Step b3, deriving a sub-private key according to a preset private key derivation algorithm, and using the sub-private key as a key corresponding to the acquisition request.
Namely, the key management equipment divides the mnemonics into messages and character strings, and iterates the character strings by calling functions to generate character string seeds; the method comprises the steps that a secret key management device separates a character string seed into a main private key and a chain code corresponding to the main private key, wherein the chain code is used for generating a sub private key according to the main private key; the private key derivation algorithm preset by the key management device refers to a preset generation algorithm.
And the key management equipment derives a sub-private key according to a preset private key derivation algorithm, and takes the sub-private key as a key corresponding to the acquisition request.
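Steps b1 to b3 as an added example, not code from the patent. It assumes the widely used BIP-39 seed stretching (PBKDF2-HMAC-SHA512, 2048 iterations) and BIP-32 hardened derivation over secp256k1, none of which the page names; the sample mnemonic is constructed.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group (assumption: the chain's keys live on this curve).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def mnemonic_to_seed(mnemonic, passphrase=""):
    """Step b1: stretch the mnemonic into a 64-byte seed by iterating HMAC-SHA512."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def master_from_seed(seed):
    """Step b2: split HMAC-SHA512(seed) into main private key and chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if key == 0 or key >= N:
        raise ValueError("seed yields an invalid main private key")
    return key, digest[32:]


def derive_hardened_child(parent_key, parent_chain_code, index):
    """Step b3: derive hardened sub-private key number `index` from its parent."""
    if not 0 <= index < HARDENED:
        raise ValueError("index out of range")
    data = (b"\x00" + parent_key.to_bytes(32, "big")
            + (index + HARDENED).to_bytes(4, "big"))
    digest = hmac.new(parent_chain_code, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + parent_key) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child key, use the next index")
    return child, digest[32:]


def recover_key(mnemonic, path=(0,), passphrase=""):
    """Walk a path of hardened indices from the mnemonic to one sub-private key."""
    key, chain_code = master_from_seed(mnemonic_to_seed(mnemonic, passphrase))
    for index in path:
        key, chain_code = derive_hardened_child(key, chain_code, index)
    return key


if __name__ == "__main__":
    sample = " ".join(["w0000"] * 11 + ["w0003"])   # constructed mnemonic
    for i in range(3):
        print("sub-private key %d: %064x" % (i, recover_key(sample, (i,))))
```

Every sub-private key is a deterministic function of the mnemonic, which is why recovering the mnemonic is sufficient to recover all of them.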
In the embodiment, the key management device converts the key into the mnemonic word, processes the mnemonic word to generate the sub-secrets, distributes the sub-secrets based on the on-chain messenger protocol of the block chain, and also supports a recovery mechanism: the key management device can acquire the sub-secrets from the escrow block chain nodes and use them to recover the mnemonic words and thereby the key, so that effective, safe, reliable and convenient escrow of the key is realized, and permanent account loss is avoided.
Further, on the basis of the first embodiment of the key management method based on the block chain, the second embodiment of the key management method based on the block chain is provided.
The difference between this embodiment and the first embodiment is that in this embodiment the key can be recovered without requiring every blockchain node that received a sub-secret to return it, specifically:
First, in the present embodiment, step S30 of the first embodiment is refined and includes:
Extracting the node number n and a threshold value t from the key escrow information, wherein the node number n is greater than or equal to the threshold value t, and the threshold value t refers to the number of blockchain nodes necessary for recovering the mnemonics.
Encoding the mnemonic words to form a numeric master secret s, selecting t-1 coefficients, and constructing a polynomial of degree t-1 with the coefficients, wherein the coefficients are $a_1, a_2, \dots, a_{t-1}$ and the polynomial is $f(x) = s + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1}$.
Taking a value of the independent variable and the corresponding value of the dependent variable of the polynomial as one sub-secret, sending the sub-secrets to the blockchain nodes corresponding to the node number n, and destroying the polynomial.
That is, the key management device extracts the number of nodes n and the threshold value t from the key escrow information. The specific flow of threshold-encrypting the mnemonic word is as follows:
1. The key management device selects the number of blockchain nodes n and a threshold value t, meaning that at least t of the n blockchain nodes must provide their sub-secrets in order to recover the mnemonic words. The t blockchain nodes can be controlled by the key management device or by other consortium chain participants;
2. The key management device encodes the mnemonic word into a numeric master secret s and then selects t-1 coefficients $a_1, a_2, \dots, a_{t-1}$, constructing a polynomial of degree t-1: $f(x) = s + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1}$.
The key management device selects n blockchain nodes, identified as $P_1, P_2, \dots, P_n$. It takes a value of the independent variable and the corresponding value of the dependent variable of the polynomial as one sub-secret, sends the sub-secrets to the blockchain nodes corresponding to the node number n based on a blockchain communication protocol, and destroys the polynomial. For example, the sub-secret distributed to $P_i$ is $(i, f(i))$, where $1 \le i_1 < i_2 < \dots \le n$. The n sub-secrets are similar to sub-private keys: each blockchain node keeps its own properly, and the key management device then destroys the polynomial.
The specific flow of distributing the sub-secrets based on the blockchain is as follows:
1. The key management device distributes the sub-secrets using the on-chain messenger protocol of the blockchain. The key management device connects to one blockchain node through a blockchain toolkit (SDK), and the other blockchain SDKs connect to the other blockchain nodes, respectively.
2. The key management device determines the topic name that each blockchain SDK subscribes to; for example, the topic name corresponding to the sub-secret (i, f(i)) is share_i. The other blockchain SDKs then each start an on-chain messenger protocol server, and each server subscribes to its determined topic. Finally, the key management device opens an on-chain messenger protocol client through its blockchain SDK and sends each sub-secret (i, f(i)) through the channel whose topic name is share_i; the other blockchain nodes receive the sub-secrets sent by the key management device through the topic channels their SDKs are listening on. The channels share the blockchain network but are isolated from each other, so each blockchain node receives a different sub-secret, which it then stores locally and separately. At this point, the distribution of the sub-secrets over the blockchain's on-chain messenger protocol is complete.
For example:
1. The key management device encodes the mnemonic to form the numeric master secret s = 100 and selects the threshold (n, t) = (4, 3), that is, n = 4 and t = 3. The numeric master secret s therefore needs to be divided into 4 sub-secrets, and at least 3 sub-secrets are required for recovery. A polynomial of order t-1 = 3-1 = 2 can be constructed; given the polynomial coefficients 5 and 3, the polynomial is $f(x) = 100 + 5x + 3x^2$. The 4 sub-secrets can thus be chosen as (1, f(1)) = (1, 108), (2, f(2)) = (2, 122), (3, f(3)) = (3, 142) and (4, f(4)) = (4, 168).
2. The key management device selects 4 nodes in the blockchain to store the sub-secrets; the blockchain SDKs connected to the 4 nodes subscribe to the topics share_1, share_2, share_3 and share_4 respectively, and each starts an on-chain messenger protocol server. The key management device opens an on-chain messenger protocol client through its blockchain SDK and sends (1, 108), (2, 122), (3, 142) and (4, 168) to the topics share_1, share_2, share_3 and share_4 respectively; each node receives its corresponding sub-secret over the on-chain messenger protocol and stores it locally, and the polynomial is destroyed.
Next, in the present embodiment, step S40 in the first embodiment is detailed:
when a key acquisition request is received, selecting t target blockchain nodes from the n blockchain nodes;
sending an acquisition request to the target blockchain nodes, and obtaining, through t on-chain messenger channels, the sub-secrets fed back by the target blockchain nodes in response to the acquisition request.
That is, the sub-secrets are requested and the mnemonic is recovered: if the key management device loses the stored mnemonic, it can request t sub-secrets from at least t of the n blockchain nodes. The specific flow of requesting the sub-secrets over the blockchain is as follows:
1) The key management device opens an on-chain messenger protocol server through its blockchain SDK and subscribes to t topics named share_i; the other blockchain SDKs open on-chain messenger protocol clients and each sends its sub-secret (i, f(i)) to the channel whose topic name is share_i.
2) The key management device obtains t sub-secrets from the t on-chain messenger channels through the blockchain SDK.
Further, this embodiment refines step S50 of the first embodiment, which includes:
reconstructing the polynomial from the t sub-secrets, wherein each sub-secret consists of an independent variable i and a dependent variable f(i), and the reconstructed polynomial is:
Figure BDA0002277710440000111
and calculating the numeric master secret s = f(0) from the reconstructed polynomial, and converting the numeric master secret s into the mnemonic.
Specifically, in the mnemonic recovery process, t sub-secrets (i, f(i)) are obtained from t nodes of the blockchain, and then the polynomial can be reconstructed:
Then the numeric master secret s = f(0) is calculated. Finally, s is converted back into the mnemonic. This provides a recovery mechanism for the mnemonic of the key management device while preventing any single node from obtaining the mnemonic directly, which guards against malicious nodes. It also provides a flexible fault-tolerance mechanism: the key management device can choose the number of blockchain nodes, and the larger n is, the higher the fault tolerance, but also the higher the resource overhead.
For example, ① the key management device selects 3 of the 4 nodes from which to request sub-secrets, such as blockchain nodes 1, 2 and 3. The key management device connects to one node through a blockchain SDK, opens an on-chain messenger protocol server, and subscribes to the channels with topic names share_1, share_2 and share_3. The three blockchain SDKs connected to blockchain nodes 1, 2 and 3 open on-chain messenger protocol clients and send (1, 108), (2, 122) and (3, 142) to the channels with topic names share_1, share_2 and share_3, respectively.
② the polynomial is reconstructed from the three sub-secrets as follows:
the recovered master secret s:
Figure BDA0002277710440000123
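The split in the worked example above and the recovery of s = f(0) from any t sub-secrets, as an added Python example (not code from the patent). Assumptions: recovery uses standard Lagrange interpolation at x = 0, arithmetic is done modulo the prime 2^2203 - 1 (the page's example uses plain integers, which give the same numbers here because they are far below the modulus), and the UTF-8 mnemonic encoding is hypothetical.

```python
"""Shamir (t, n) threshold sharing of a numeric master secret s (added example)."""
import secrets

# Assumption: arithmetic is modulo a prime larger than any encoded mnemonic.
# 2**2203 - 1 is a Mersenne prime, roomy enough for a 24-word UTF-8 mnemonic.
PRIME = 2**2203 - 1


def mnemonic_to_int(mnemonic: str) -> int:
    """Hypothetical encoding of the mnemonic as the numeric master secret s."""
    return int.from_bytes(mnemonic.encode("utf-8"), "big")


def int_to_mnemonic(s: int) -> str:
    """Inverse of mnemonic_to_int."""
    return s.to_bytes((s.bit_length() + 7) // 8, "big").decode("utf-8")


def eval_poly(coeffs, x, modulus):
    """Horner evaluation of f(x) = coeffs[0] + coeffs[1]*x + ... (mod modulus)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % modulus
    return acc


def split(s, n, t, modulus=PRIME, coeffs=None):
    """Return n sub-secrets (i, f(i)) for i = 1..n; any t of them recover s."""
    if not 1 <= t <= n < modulus:
        raise ValueError("need 1 <= t <= n < modulus")
    if not 0 <= s < modulus:
        raise ValueError("master secret does not fit in the field")
    if coeffs is None:
        # a_1 .. a_{t-1} must come from a CSPRNG; fixed values are for demos only.
        coeffs = [secrets.randbelow(modulus) for _ in range(t - 1)]
    if len(coeffs) != t - 1:
        raise ValueError("exactly t-1 coefficients are required")
    # The polynomial only lives inside this call; it is never stored or returned.
    poly = [s, *coeffs]
    return [(i, eval_poly(poly, i, modulus)) for i in range(1, n + 1)]


def recover(shares, t, modulus=PRIME):
    """Lagrange interpolation at x = 0 over t distinct sub-secrets: s = f(0)."""
    points = {}
    for x, y in shares:
        if points.setdefault(x, y) != y:
            raise ValueError(f"conflicting sub-secrets for index {x}")
    if len(points) < t:
        raise ValueError(f"need {t} distinct sub-secrets, got {len(points)}")
    chosen = list(points.items())[:t]
    s = 0
    for xj, yj in chosen:
        num, den = 1, 1
        for xm, _ in chosen:
            if xm != xj:
                num = (num * (-xm)) % modulus       # product of (0 - x_m)
                den = (den * (xj - xm)) % modulus   # product of (x_j - x_m)
        s = (s + yj * num * pow(den, -1, modulus)) % modulus
    return s


if __name__ == "__main__":
    # The page's example: s = 100, (n, t) = (4, 3), coefficients 5 and 3.
    shares = split(100, n=4, t=3, coeffs=[5, 3])
    print(shares)                      # sub-secrets for share_1 .. share_4
    print(recover(shares[:3], t=3))    # nodes 1, 2, 3
    print(recover(shares[1:], t=3))    # nodes 2, 3, 4
    # Constructed sample mnemonic, random coefficients, 3-of-5 escrow.
    words = "legal winner thank year wave sausage worth useful legal winner thank yellow"
    escrow = split(mnemonic_to_int(words), n=5, t=3)
    print(int_to_mnemonic(recover(escrow[2:], t=3)) == words)
```

Two of the example sub-secrets alone interpolate to 94 rather than 100. In a prime field with uniformly random coefficients, fewer than t sub-secrets reveal nothing about s, a guarantee that plain integer arithmetic with small coefficients does not give.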
Generating a seed from the mnemonic: the key management device may choose to protect its mnemonic with a passphrase (password). If no passphrase exists, an empty string is used instead. A seed is created from the mnemonic by calling the PBKDF2 function with the mnemonic as the message m and the string "mnemonic" + passphrase as the salt, iterating n times (e.g., 2048 times) and using HMAC-SHA512 to derive a seed string of klen (512) bits. That is, seed = PBKDF2(HMAC-SHA512, m, salt, n, klen), where HMAC-SHA512 takes the message m and the salt and is iterated n times to produce a klen-bit seed string.
Generating the master private key from the seed: the seed is 512 bits and is split into a left half and a right half of 256 bits each, denoted IL and IR respectively. The master private key M is IL, and the chain code C corresponding to the master private key is IR, where the chain code is a blinding factor used to generate sub-private keys.
Deriving sub-private keys from the master private key: the master private key is denoted Kpar and the master chain code Cpar; the first derivation starts from the master private key, that is, Kpar = M and Cpar = C. Let i be the sequence number of the sub-private key; the private key derivation algorithm is as follows:
① I = HMAC-SHA512(Key = Cpar, Data = Kpar || i), where I is a 512-bit sequence.
② I is split into a left half and a right half of 256 bits each, denoted IL and IR respectively; the sub-private key is Ki = IL + Kpar, and the sub-chain code is Ci = IR.
③ Steps ① and ② can be repeated to derive further sub-private keys from sub-private keys. Each time the key management device sends a transaction, it can select one of the sub-private keys to sign the transaction; the account address of the transaction sender corresponds to the public key generated from that private key.
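The seed generation and sub-private-key derivation steps above, as an added Python example that follows the page's description (not code from the patent). Assumptions: i is serialized as 4 big-endian bytes, sums are reduced modulo the secp256k1 group order because the page names no curve, and the sample mnemonic is constructed. Note that BIP32 itself obtains the master key from HMAC-SHA512 keyed with "Bitcoin seed" rather than by splitting the seed directly.

```python
"""Mnemonic -> seed -> master key -> sub-private keys, as the embodiment describes."""
import hashlib
import hmac
import unicodedata

# Assumption: private keys are scalars of the secp256k1 group (as in BIP32).
CURVE_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample input for the demo; never use it for a real wallet.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def mnemonic_to_seed(mnemonic, passphrase="", iterations=2048, klen_bits=512):
    """seed = PBKDF2(HMAC-SHA512, m, "mnemonic" + passphrase, n, klen)."""
    # NFKD normalization is the BIP39 convention; it is a no-op for ASCII input.
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, iterations, dklen=klen_bits // 8)


def master_from_seed(seed):
    """Split the 512-bit seed: M = IL (master private key), C = IR (chain code)."""
    if len(seed) != 64:
        raise ValueError("seed must be 512 bits")
    master_key = int.from_bytes(seed[:32], "big")
    if not 0 < master_key < CURVE_ORDER:
        raise ValueError("IL is not a valid private key; use another mnemonic")
    return master_key, seed[32:]


def derive_child(k_par, c_par, index):
    """I = HMAC-SHA512(Key=Cpar, Data=Kpar || i); Ki = IL + Kpar, Ci = IR."""
    if not 0 <= index < 2**32:
        raise ValueError("index must fit in 32 bits")
    data = k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    k_i = (il + k_par) % CURVE_ORDER  # assumption: reduce modulo the group order
    if il >= CURVE_ORDER or k_i == 0:
        raise ValueError("invalid child key; skip to the next index")
    return k_i, digest[32:]


def derive_path(seed, path):
    """Repeat steps 1 and 2 along a list of indices, starting from the master key."""
    key, chain_code = master_from_seed(seed)
    for index in path:
        key, chain_code = derive_child(key, chain_code, index)
    return key, chain_code


if __name__ == "__main__":
    seed = mnemonic_to_seed(SAMPLE_MNEMONIC, passphrase="")
    master_key, chain_code = master_from_seed(seed)
    print("seed bits:", len(seed) * 8)
    for i in range(3):
        child_key, _ = derive_child(master_key, chain_code, i)
        print(f"sub-private key {i}: {child_key:064x}")
    grandchild, _ = derive_path(seed, [0, 1])
    print(f"sub-private key 0/1: {grandchild:064x}")
```

Because Data contains the parent private key, every derivation step needs the private key itself, so only a device that has recovered the mnemonic can regenerate the sub-private keys.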
In this embodiment, threshold encryption is introduced on top of a deterministic hierarchical key management scheme, so that the key management device can easily use a large number of private keys and a mnemonic escrow mode is provided. A core mechanism for recovering the mnemonic when the user loses it is provided, and the key escrow scheme based on threshold encryption is better and more stable in terms of security.
Referring to fig. 3, an embodiment of the present invention further provides a key management apparatus based on a block chain, where the key management apparatus based on a block chain includes:
a first receiving module 10, configured to, when a key escrow request is received, obtain a key corresponding to the key escrow request and escrow information of the key;
a mnemonic generating module 20, configured to generate a mnemonic corresponding to the secret key according to a preset mnemonic generating algorithm;
a processing and sending module 30, configured to process the mnemonic word according to the key escrow information, obtain a sub-secret corresponding to the mnemonic word, and send the sub-secret to a block chain node corresponding to the key escrow information;
a second receiving module 40, configured to send an acquisition request to the blockchain node when receiving a key acquisition request, and receive a sub-secret fed back by the blockchain node based on the acquisition request;
a key recovery module 50, configured to recover the mnemonic word according to the sub-secret, and recover the key based on the mnemonic word.
In one embodiment, the mnemonic generation module 20 includes:
a hash calculation unit, configured to generate the entropy of a random sequence according to the preset mnemonic generation algorithm, perform a hash calculation on the entropy to obtain an entropy hash value, and take the first m bits of the entropy hash value as a checksum, wherein m is greater than or equal to 1;
a number obtaining unit, configured to append the checksum to the end of the entropy to obtain a sequence number, and divide the sequence number to obtain number units;
and a mnemonic word generating unit, configured to map the number units to a preset dictionary to obtain an ordered character string, and use the character string as the mnemonic.
In an embodiment, the processing and transmitting module 30 includes:
an information extraction submodule, configured to extract the node number n and the threshold value t from the key escrow information, wherein the node number n is greater than or equal to the threshold value t, and the threshold value t is the number of blockchain nodes required to recover the mnemonic;
a polynomial construction submodule, configured to encode the mnemonic to form a numeric master secret s, select t-1 coefficients, and construct a polynomial of order t-1 using the coefficients, wherein the coefficients are $a_1, a_2, \dots, a_{t-1}$ and the polynomial is $f(x) = s + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1}$;
and a sending and destroying submodule, configured to take an independent variable and the corresponding dependent variable of the polynomial as one sub-secret, send the sub-secrets to the blockchain nodes corresponding to the node number n, and destroy the polynomial.
In an embodiment, the sending and destroying submodule includes:
a node determining unit, configured to determine the blockchain nodes corresponding to the node number n and the topic names that the blockchain nodes subscribe to;
and a sending and destroying module, configured to connect to the blockchain nodes according to the on-chain messenger protocol of the blockchain, send the sub-secret corresponding to each topic name to the blockchain nodes through the channel of that topic name, and destroy the polynomial.
In one embodiment, the second receiving module includes:
a node selection unit, configured to select t target blockchain nodes from the n blockchain nodes when receiving a key acquisition request;
and a sub-password acquisition unit, configured to send an acquisition request to the target blockchain nodes and obtain, through t on-chain messenger channels, the sub-secrets fed back by the target blockchain nodes based on the acquisition request.
In one embodiment, the key recovery module includes:
a polynomial constructing unit, configured to reconstruct the polynomial from the t sub-secrets, where each sub-secret includes an independent variable i and a dependent variable f(i), and the reconstructed polynomial is:
Figure BDA0002277710440000151
and a mnemonic word generating unit, configured to calculate the numeric master secret s = f(0) from the reconstructed polynomial, and convert the numeric master secret s into the mnemonic.
In one embodiment, the key recovery module includes:
the mnemonic word generation unit is used for dividing the mnemonic words into messages and character strings, iterating the character strings by calling functions and generating character string seeds;
the character string separating unit is used for separating the character string seed into a main private key and a chain code corresponding to the main private key, wherein the chain code is used for generating a sub private key according to the main private key;
and the key generation unit is used for deriving a sub-private key according to a preset private key derivation algorithm, and using the sub-private key as a key corresponding to the acquisition request.
The method executed by each program module may refer to each embodiment of the block chain-based key management method of the present invention, and details are not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a server device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A key management method based on a block chain is characterized in that the key management method based on the block chain comprises the following steps:
when a key escrow request is received, acquiring a key corresponding to the key escrow request and escrow information of the key;
generating mnemonics corresponding to the secret key according to a preset mnemonic generation algorithm;
processing the mnemonic words according to the key escrow information to obtain sub-secrets corresponding to the mnemonic words, and sending the sub-secrets to block chain nodes corresponding to the key escrow information;
when a key acquisition request is received, transmitting an acquisition request to the block chain nodes, and receiving the sub-secrets fed back by the block chain nodes based on the acquisition request;
recovering the mnemonic word according to the sub-secret, and recovering the secret key based on the mnemonic word.
2. The blockchain-based key management method according to claim 1, wherein the step of generating the mnemonic word corresponding to the key according to a predetermined mnemonic word generation algorithm includes:
generating the entropy of a random sequence according to a preset mnemonic generation algorithm, performing a hash calculation on the entropy to obtain an entropy hash value, and taking the first m bits of the entropy hash value as a checksum, wherein m is greater than or equal to 1;
appending the checksum to the end of the entropy to obtain a sequence number, and dividing the sequence number to obtain number units;
and mapping the number units to a preset dictionary to obtain an ordered character string, and taking the character string as the mnemonic.
3. The blockchain-based key management method according to claim 1, wherein the step of processing the mnemonic word according to the key escrow information to obtain a sub-secret corresponding to the mnemonic word, and sending the sub-secret to a blockchain node corresponding to the key escrow information includes:
extracting the node number n and the threshold value t from the key escrow information, wherein the node number n is greater than or equal to the threshold value t, and the threshold value t is the number of blockchain nodes required to recover the mnemonic;
encoding the mnemonic to form a numeric master secret s, selecting t-1 coefficients, and constructing a polynomial of order t-1 using the coefficients, wherein the coefficients are $a_1, a_2, \dots, a_{t-1}$ and the polynomial is $f(x) = s + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1}$;
and taking an independent variable and the corresponding dependent variable of the polynomial as one sub-secret, sending the sub-secrets to the blockchain nodes corresponding to the node number n, and destroying the polynomial.
4. The method for block chain based key management according to claim 3, wherein the step of sending the sub-secret to the block chain node corresponding to the node number n and destroying the polynomial includes:
determining the blockchain nodes corresponding to the node number n and the topic names that the blockchain nodes subscribe to;
and connecting to the blockchain nodes according to the on-chain messenger protocol of the blockchain, sending the sub-secret corresponding to each topic name to the blockchain nodes through the channel of that topic name, and destroying the polynomial.
5. The method for block chain based key management according to claim 3, wherein the step of sending an acquisition request to the block chain node and receiving the sub-secret fed back by the block chain node based on the acquisition request when receiving a key acquisition request comprises:
when a key acquisition request is received, selecting t target blockchain nodes from the n blockchain nodes;
and sending an acquisition request to the target blockchain nodes, and obtaining, through t on-chain messenger channels, the sub-secrets fed back by the target blockchain nodes based on the acquisition request.
6. The blockchain-based key management method of claim 3, wherein the step of recovering the mnemonic word from the sub-secret comprises:
reconstructing the polynomial from the t sub-secrets, wherein each sub-secret consists of an independent variable i and a dependent variable f(i), and the reconstructed polynomial is:
Figure FDA0002277710430000021
and calculating the numeric master secret s = f(0) from the reconstructed polynomial, and converting the numeric master secret s into the mnemonic.
7. The blockchain-based key management method according to any one of claims 1 to 6, wherein the step of restoring the key based on the mnemonic word includes:
dividing the mnemonics into messages and character strings, and iterating the character strings by calling functions to generate character string seeds;
separating the character string seed into a main private key and a chain code corresponding to the main private key, wherein the chain code is used for generating a sub private key according to the main private key;
and deriving a sub-private key according to a preset private key derivation algorithm, and taking the sub-private key as a key corresponding to the acquisition request.
8. A blockchain-based key management apparatus, the blockchain-based key management apparatus comprising:
the first receiving module is used for acquiring a key corresponding to a key escrow request and escrow information of the key when the key escrow request is received;
the mnemonic word generating module is used for generating a mnemonic word corresponding to the secret key according to a preset mnemonic word generating algorithm;
the processing and sending module is used for processing the mnemonic words according to the key escrow information to obtain sub-secrets corresponding to the mnemonic words and sending the sub-secrets to the block chain nodes corresponding to the key escrow information;
a second receiving module, configured to send an acquisition request to the blockchain node when receiving a key acquisition request, and receive a sub-secret fed back by the blockchain node based on the acquisition request;
and the key recovery module is used for recovering the mnemonic words according to the sub-secret and recovering the key based on the mnemonic words.
9. A blockchain-based key management apparatus, the blockchain-based key management apparatus comprising: memory, a processor and a blockchain based key management program stored on the memory and executable on the processor, the blockchain based key management program implementing the steps of the blockchain based key management method according to any one of claims 1 to 7 when executed by the processor.
10. A computer-readable storage medium, on which a blockchain-based key management program is stored, which when executed by a processor implements the steps of the blockchain-based key management method according to any one of claims 1 to 7.
CN201911128865.5A 2019-11-18 2019-11-18 Block chain-based key management method, device, equipment and computer medium Active CN110838912B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911128865.5A CN110838912B (en) 2019-11-18 2019-11-18 Block chain-based key management method, device, equipment and computer medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911128865.5A CN110838912B (en) 2019-11-18 2019-11-18 Block chain-based key management method, device, equipment and computer medium

Publications (2)

Publication Number Publication Date
CN110838912A true CN110838912A (en) 2020-02-25
CN110838912B CN110838912B (en) 2023-07-21

Family

ID=69576663

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911128865.5A Active CN110838912B (en) 2019-11-18 2019-11-18 Block chain-based key management method, device, equipment and computer medium

Country Status (1)

Country Link
CN (1) CN110838912B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112001717A (en) * 2020-10-27 2020-11-27 四川泰立科技股份有限公司 Method, system and storage medium for calculating encryption currency of digital television
CN112291355A (en) * 2020-10-30 2021-01-29 上海阿吉必信息技术有限公司 Key backup and recovery method and device for block chain wallet
CN112712357A (en) * 2020-12-30 2021-04-27 普华云创科技(北京)有限公司 Multi-mechanism multi-chain multi-currency multi-account private key management method and system
CN112865971A (en) * 2021-03-29 2021-05-28 中信银行股份有限公司 Private key generation method and device, electronic equipment and computer readable storage medium
CN113141401A (en) * 2021-04-20 2021-07-20 普华云创科技(北京)有限公司 Multi-chain construction method and system based on master chain
CN113505280A (en) * 2021-07-28 2021-10-15 全知科技(杭州)有限责任公司 Sensitive key information identification and extraction technology for general scene

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109474424A (en) * 2018-12-17 2019-03-15 江苏恒宝智能系统技术有限公司 Block chain account cipher key backup and method, the system of recovery

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112001717A (en) * 2020-10-27 2020-11-27 四川泰立科技股份有限公司 Method, system and storage medium for calculating encryption currency of digital television
CN112291355A (en) * 2020-10-30 2021-01-29 上海阿吉必信息技术有限公司 Key backup and recovery method and device for block chain wallet
CN112291355B (en) * 2020-10-30 2022-09-09 上海阿吉必信息技术有限公司 Key backup and recovery method and device for block chain wallet
CN112712357A (en) * 2020-12-30 2021-04-27 普华云创科技(北京)有限公司 Multi-mechanism multi-chain multi-currency multi-account private key management method and system
CN112865971A (en) * 2021-03-29 2021-05-28 中信银行股份有限公司 Private key generation method and device, electronic equipment and computer readable storage medium
CN112865971B (en) * 2021-03-29 2023-01-31 中信银行股份有限公司 Private key generation method and device, electronic equipment and computer readable storage medium
CN113141401A (en) * 2021-04-20 2021-07-20 普华云创科技(北京)有限公司 Multi-chain construction method and system based on master chain
CN113505280A (en) * 2021-07-28 2021-10-15 全知科技(杭州)有限责任公司 Sensitive key information identification and extraction technology for general scene
CN113505280B (en) * 2021-07-28 2023-08-22 全知科技(杭州)有限责任公司 Sensitive key information identification and extraction technology for general scene

Also Published As

Publication number Publication date
CN110838912B (en) 2023-07-21

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant